this post was submitted on 12 Jun 2024
78 points (93.3% liked)

Linux

48323 readers
647 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
 

target OS is debian or linux mint

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 58 points 5 months ago (2 children)

Pro apt:

  • storage efficient
  • may be optimized for stuff like x86_64 v3 or v4
  • runs as many users and easily from terminal
  • needed for some low level stuff like system packages

Contra apt:

  • a ton of stuff comes from outside the main Ubuntu repo. Debian doesnt have that difference afaik but still many packages may be more abandoned
  • 3rd party packaging 99% of the time, i.e. "unverified". I had a lot of strange bugs especially with Ubuntu packages
  • the apps ars not isolated at all

Pro Flatpak

  • a ton of verified apps, nearly unavailable on other repos (that still doesnt make unverified apps insecure!)
  • all apps have a sandbox that can be graphically hardened to be more secure, if the defaults are too broad
  • by defaults the sandbox is pretty good
  • many many apps that run everywhere

Contra Flatpak

  • not suited for some apps like terminal apps or system stuff
  • some apps are less maintained and use EOL runtimes etc
  • some more storage space needed
  • need user namespaces, nearly all distros have them enabled
  • a bit slower startup time but okay
  • a bit more RAM usage
[–] [email protected] 9 points 5 months ago* (last edited 5 months ago) (1 children)

In general I agree, though had something to add regarding these points:

by defaults the sandbox is pretty good

This is a rather major problem with Flatpak; the maintainer decides what permissions they need by default, not the user. The user needs to retroactively roll them back or specify global options and manually override them per-app, but that's not user-friendly at all. Though many Flatpaks do have good permissions because Flathub maintainers step in and offer suggestions before approving the Flatpak for publication, there are a number of Flatpaks that punch big holes in the sandbox; so much so that they might as well be unsandboxed.

But Bottles has a great sandbox, for instance, which is just what you'd want when running lots of proprietary Windows applications you maybe don't trust as much as your Linux-y software.

It's better than what we have with traditional packages but it can sometimes get in the way and not all beginners can easily figure out how to fix permissions issues with Flatseal. This will probably improve as we get more portals built.

some apps are less maintained and use EOL runtimes etc

Not much is different for distribution-maintained packages, either. See TheEvilSkeleton's post about how there are over 1200 unmaintained packages in the Debian repositories, and even over 400 in Arch's much smaller repositories that are outdated (!). At least Flathub applications are usually maintained by upstream, and so are usually as up to date as they can be.

not suited for some apps like terminal apps or system stuff

This isn't really true. It's only true when terminal applications need privileged access to something. Flathub ships Mesa userpace drivers and NVIDIA's proprietary userspace drivers just fine. You can package something like yt-dlp in Flatpak just fine with --filesystem=host. Hell, they've even got Neovim on Flathub. Sure, it's a little more cumbersome to type, but you can always create an alias.

Flatpak is not suitable for all graphical applications, either. Wireshark's full feature-set cannot be supported, for example.


I would add that:

  • You can easily rollback Flatpaks to a previous version (even from a long time ago) with flatpak update --commit. Much harder with traditional package systems, and you'll probably need to downgrade shared libraries too.
  • You get a consistent build environment with Flatpak manifests. If you want to build a newer version of a stable package you're using straight from master or with a few patches, all you really need to do is clone it from flathub/whatever, change a few lines, and it has a very high chance of building properly. No need to figure out dependencies, toolchains, or sane build options. And it's all controlled from an easy-to-read and modify file.
[–] [email protected] 2 points 5 months ago (1 children)

defaults

The default is completely sandboxed. Developers need to allowlist exactly what they want. So it is transparent.

Compare that to a random app where you need to monitor its syscalls to see what it does.

KDE Plasma now includes a GUI settings page that allows to change these.

I think GNOME needs to integrate that into their settings, I mean just include damn Flatseal as a settings page...

specify global options

This is supercool and I started doing that. All apps get the env vars to force Wayland now even though they may not use it. I have my overrides and uploaded them to my dotfiles.

But Bottles has a great sandbox

Echo that

over 1200 unmaintained packages in the Debian repositories, and even over 400 in Arch's much smaller repositories

This is crazy, same on Fedora. Distros really need to start using separate repos, and automatically filter out everything that didnt get a "I maintain this" for a while.

There are packagers maintaining a shitload of apps at once.

Flathub applications are usually maintained by upstream

Not always but having this at all, and having most big names in there, is incredible. This is like a first time this happens.

easily rollback Flatpaks

Ostree is great

consistent build environment

And having it declared centrally can help add all the security benefits of the individual ones too. Really nice

[–] [email protected] 2 points 5 months ago (1 children)

The default is completely sandboxed. Developers need to allowlist exactly what they want. So it is transparent.

The default before the developer touches it doesn't matter; compare this to Android, iOS, or macOS's permission system. An app needs to ask for permission to use the microphone or access your files. With Flatpak, all a developer needs to do is specify --filesystem=home or --socket=pulseaudio and if the user hasn't specified global options like --nofilesystem=home, then the developer gets access to it. Having a sandbox that is optional for the developer rather goes against the point of a sandbox, don't you think?

I'm not unsympathetic to Flatpak developers, though. The status quo on Linux for decades has been, "you get access to everything." If Flatpak enforced that sandbox, more than half of the apps on Flathub right now just wouldn't work because they don't support the filesystem portal.

I think GNOME and KDE need to do the work of manually restricting Flatpak apps' access to sensitive permissions like home by default, maybe in a few years when the idea of the filesystem portal has had time to gestate among developers. Kind of like how Firefox's HTTPS-only mode (which I think should be the default) prevents you from accessing the website unless you give permission.

That's something we can work on, I think. At least we have a way to get there.

KDE Plasma now includes a GUI settings page that allows to change these.

I think GNOME needs to integrate that into their settings, I mean just include damn Flatseal as a settings page…

I recall saying the exact same thing. They have a built-in area for it in the Apps section. They'll probably get around to it eventually...

There are packagers maintaining a shitload of apps at once.

It's pretty crazy. I think this is probably the craziest example: https://old.reddit.com/r/archlinux/comments/f3wrez/much_love_to_felix_yan_an_arch_maintainer_from/

Felix Yan is awesome to be maintaining thousands of packages for Arch. But man, that's a lot of work. If we could reduce the workload of our package maintainers who rarely receive any gratitude (usually only demands) and let them focus on the really important packages, I think that would also be awesome.

[–] [email protected] 2 points 5 months ago (1 children)

Yay my answer was deleted...

before the developer touches it doesn't matter

It matters as the security rating is based on that, apps like KDE Systemsettings or Flatseal show that etc.

I agree that asking for permissions is better.

Placing an override in ~/.local/share/flatpak/overrides/global would be an easy workaround.

Desktops could implement dialogs that use the currently preset permissions.

Having a sandbox that is optional for the developer rather goes against the point of a sandbox, don't you think?

No, these are defined, enumerated holes in a sandbox. Without a sandbox you need to monitor the behaviour yourself or other things.

This is the only good working GUI sandbox I know.

half of the apps on Flathub right now just wouldn't work because they don't support the filesystem portal.

Important point here:

  • the portal should allow static permissions too
  • apps that dont support portals would also not support asking for permissions, natively. A workaround could be done, using dbus, and asking for everything when the app is launched first time, BUT
  • Linux has a tiny marketshare
  • flatpaks are not the only ones
  • people dont care about security that much (look at my survey, I will post an evaluation soon)
  • permissions on Linux are more complex than on the actively restricted Android. External media, devices, filesystems etc

HTTPS-only mode (which I think should be the default)

I should open a bug about this. It cant be that this is not default, it works well and I agree on the style of implementation.

But this would also need apps to have that mechanism. A Libreoffice will just say "file doesnt exist" currently.

let them focus on the really important packages

Thats why I like Fedora Atomic. The core is as small as possible, the apps are just base stuff or upstream stuff like the Desktop. Everything else is a Flatpak.

It is so much more secure.

RHEL / CentOS has different repos for core and extras. More distros will do that

[–] [email protected] 1 points 5 months ago (1 children)

It matters as the security rating is based on that, apps like KDE Systemsettings or Flatseal show that etc.

That's a good point.

Linux has a tiny marketshare people dont care about security that much permissions on Linux are more complex than on the actively restricted Android. External media, devices, filesystems etc

That's true.


I think my issue with the Flatpak sandbox is I understand how it works and what its limitations are (and I'm mostly fine with them), but the average user doesn't. I was reluctant to try Flatpak before understanding how it worked, but now that I know how it works, I think it's fantastic! But it's also a work-in-progress. What we have now is good, but I think it could be better. Not entirely sure how it gets better though.


Thats why I like Fedora Atomic. The core is as small as possible, the apps are just base stuff or upstream stuff like the Desktop. Everything else is a Flatpak.

I'm still not really sure where I stand on Fedora Atomic. Lack of H.264 decoding by default is a damaging choice. They should just include openH264 in the base image, reproducibility be damned. Give it 5 more years and maybe this will be revisited...

Nova + Zink + NVK will solve some of the problem with NVIDIA (maybe even very soon), but not hardware decoding currently, which is a big one.

Gamescope doesn't work great in a Toolbox. It works fine in Flatpak, but Bottles doesn't let me use Gamescope options. I think Lutris does, but I haven't tried it out yet.

And how am I supposed to install fonts without layering them on?? I've been copying them to ~/.local/share/fonts manually.

I think the idea is cool. But I think a few more parts of the ecosystem need to be in place first. I'll keep using it for now.

[–] [email protected] 1 points 5 months ago (1 children)

What we have now is good, but I think it could be better.

I maintain a list of recommended Flatpak apps.

I had a damn Librewolf crash some time ago, the RPM is broken, switched back to Firefox... so I lost about 3 hours of overhaul of that list as it is currently very messy.

But if it is fixed, feel free to submit apps to be included, to have a "goodness enumerating" list of apps, rather than a huge mess of random apps.

Lack of H.264 decoding by default

They dont include that? I thought they would...

I use Fedora kinoite-main from uBlue which is very close to upstream but fixes many issues for me.

UBlue focussing on their very opinionated variants is a bit annoying, because it is now pretty hard to find a guide how to install kinoite-main. I just have a bookmark of their archived website.

Give it 5 more years

If this is actually an issue I would like to tackle that. I am currently doing a Change Proposal to make the default rpm-ostree permissions reasonably secure.

So this is an issue with reproducability? I dont think so? Cisco builds the binaries for Fedora and it gets installed. The packages are not from their repos, but the typical sync issues would not occur on Atomic.

but not hardware decoding currently, which is a big one

Yeah for sure, I think for Intel and AMD too, hardware h264 for example. AV1 in OBS will be awesome though.

But thats why I use uBlues base images, it is Fedora and I say I use Fedora and participate in their community, but their base images have a ton of stuff I dont agree with (toolbox, missing random packages, too simplistic installer...)

[–] [email protected] 1 points 5 months ago (1 children)

I maintain a list of recommended Flatpak apps.

I'm very familiar with you, haha. You keep popping up wherever I go these days. You're everywhere. Maybe not quite as omnipresent as Neal Gompa.

I can think of a few Flatpaks that could fit on that list.

They dont include that? I thought they would…

It's the same old story with codecs. Fedora would love to support as many codecs as possible, but H.264 is patent-encumbered so they can't. They had hardware decoding support through Mesa a few years ago but then they...changed it.

Fedora Atomic wants to include the OpenH264 enablement package for Firefox inside the Fedora Flatpak eventually which will solve most of the problem as that is where people are playing H.264 most often.

So this is an issue with reproducability? I dont think so? Cisco builds the binaries for Fedora and it gets installed. The packages are not from their repos, but the typical sync issues would not occur on Atomic.

My understanding is OpenH264 is provided in binary-only format to Fedora because otherwise the royalty-free license cannot apply (i.e. Fedora can't build it from source). Fedora only ships free software. OpenH264 is free software. But it's binary-only. So they need to trust Cisco has built the binary correctly. I assume the reason they don't include it by default is because the only way to trust it's built from the same sources is to reproduce the build. Otherwise, I really don't see the issue.

OpenH264 is not a part of the base system so you need to layer it on. OpenH264 doesn't have support for High 10 Profile video which is fairly common off the web and is generally inferior to x264, I've found, but at least it's something.

And the reason I mention "5 years" is because by then, most of the patents on H.264 will have expired. With the exception of the new ones from just a few years ago that no one really uses. Maybe Fedora can enable x264 in their ffmpeg build then and we can stop talking about it. I am so sick of talking about H.264.

I use Fedora kinoite-main from uBlue which is very close to upstream but fixes many issues for me.

Call it a personal challenge or whatever but I'm sticking to Fedora Silverblue for the foreseeable future. uBlue is almost certainly a better experience for most people.

Yeah for sure, I think for Intel and AMD too, hardware h264 for example.

That's not true if you're using Flathub packages. Flathub ships userspace Mesa drivers which enable hardware decoding for Intel and AMD GPUs even with H.264 and H.265.

but their base images have a ton of stuff I dont agree with (toolbox, missing random packages, too simplistic installer…)

uBlue does solve the two big issues with Fedora, which is codecs and proprietary NVIDIA drivers. Any other issues are tiny in comparison. I will say I prefer Toolbox to Distrobox, despite using Distrobox first. I certainly understand that's an unpopular opinion and not one a lot of people share. It's probably the same reason you use KDE and I use GNOME (most of the time).

I've always hated the Fedora installer. Does uBlue do something different?

[–] [email protected] 1 points 5 months ago (1 children)

You keep popping up wherever I go these days.

Funny, I use that name not so long. Currently hyperfocused on Fedora Discuss, Lemmy and Github.

Although I should really change my stuff to some Forgejo instance and just mirror to Github.

I thought a lot about tech resiliance in the last days, I am from germany and the people here are stupid. They literally elect people that will make a neofascist surveillance hell reality.

I wonder how Tor, Tails and others handle their code stuff. Apart from selfhosting their services of course. Like resiliance, I think decentralized code repos are crucial.

I really like how uBlue just used the official Fedora OCI images (that they produce but dont even use) and used all the container tooling to create this awesome project.

But relying on Github is insane, it is owned by Microsoft and they dont give a damn about freedom. It is pretty scary, 90% of my Android apps are also on Github.

I want to build my own variant, KDE and minimal only, maybe GNOME if contributors join. But no more, all the freedom is great but it is huge maintenance.

H.264 is patent-encumbered so they can't

I thought Ciscos trick could fix that? They are a huge company, pay the max amount of money already and can just share the software with their license to anyone.

inside the Fedora Flatpak

Not sure if that is the best way. Flatpak has runtime extensions, and rpmfusion could build one for the entire ffmpeg and more. This could just be added from an external repo and installed along.

Or they include openh264 in their runtime.

Fedora Flatpaks got quite a boost recently and even have some KDE apps not on Flathub.

the only way to trust it's built from the same sources is to reproduce the build.

Well... rpmfusion could do that? And act like a "3rd party auditor" ?

doesn't have support for High 10 Profile video which is fairly common off the web

Interestesting, never heard that. I use Celluloid Flatpak which is pretty great (I wish Haruna would get their basics together like customizable UI, working subtitles, working queue etc).

So the only reason to have ffmpeg is nice terminal stuff, Dolphin extensions or just video previews in Dolphin. Nautilus supports that via a Flatpak right? Thats cool.

we can stop talking about it. I am so sick of talking about H.264.

Fuck patents. I am happy that we now have AV1 and dont really know why VP9 is not more used? It is a pain!

Call it a personal challenge or whatever

I have a command text file with the exact command I need to reproduce my install. One for Fedora Kinoite, one for Kinoite-main.

It is just a few packages and I really only need the things I mentioned.

I also dont like Aurora or others that much, they have too much stuff added.

That's not true if you're using Flathub packages.

True, Flatpak is cool. Dolphin is also available as one, I need to test if it works with Flatpak ark and all that, udisks2, mounting stuff, MTP, maybe SMB.

prefer Toolbox to Distrobox

Interesting, why? I need to try it again.

Do you know btw how to upgrade a F39 distrobox to F40? Distrobox has some "assemble" function to rebuild it with a config file. But traditional dnf system-upgrade doesnt work.

It's probably the same reason you use KDE and I use GNOME (most of the time).

Why? Curious.

No uBlue uses Anaconda too, which is a whole set of stuff. They are testing the new UI (a component of Anaconda) for workstation exclusively.

uBlue pioneered in making Anaconda work for installing OCI rpm-ostree btw

[–] [email protected] 1 points 5 months ago* (last edited 5 months ago) (1 children)

Looks like we frequent the same circles, then.

I thought a lot about tech resiliance in the last days, I am from germany and the people here are stupid. They literally elect people that will make a neofascist surveillance hell reality.

But hey, Germany was responsible for the Sovereign Tech Fund, which has made a big difference for GNOME and accessibility with the Newton stack. So it's not all bad. Not that I live there.

But relying on Github is insane, it is owned by Microsoft and they dont give a damn about freedom. It is pretty scary, 90% of my Android apps are also on Github.

That's the main reason I don't use uBlue. The idea of booting my entire operating system from a container created on Github's infrastructure is just...it scares me. Even though much of the free software I rely on is hosted on Github. And yes, most of my Android apps are also from Github.

I want to build my own variant, KDE and minimal only, maybe GNOME if contributors join. But no more, all the freedom is great but it is huge maintenance.

That's a nice idea. I wonder if Sourcehut does container registries...I know people praise their CI.

I wonder how Tor, Tails and others handle their code stuff.

I know Tor uses Gitlab. Seirdy has an article series on "Resilient Git".

I thought Ciscos trick could fix that? They are a huge company, pay the max amount of money already and can just share the software with their license to anyone.

Yes, however it only covers their implementation (which is lacking) and it only covers binaries they create.

Well… rpmfusion could do that? And act like a “3rd party auditor” ?

I'm thinking about Fedora including the build in their own repositories. It would be really nice if H.264 decoding was just default and you didn't need to do anything.

doesn’t have support for High 10 Profile video which is fairly common off the web

Interestesting, never heard that.

See the following thread for all of the research I did: https://discussion.fedoraproject.org/t/h-264-support-in-fedora-workstation-by-default/114521

Michael Cantazaro had a really helpful and enlightening response: https://discussion.fedoraproject.org/t/h-264-support-in-fedora-workstation-by-default/114521/5

I use Celluloid Flatpak which is pretty great

So do I. But keep in mind there are two Celluloid Flatpaks you can install; one is from Fedora Flatpaks which disables H.264/H.265/VC-1 decoding and the other is from Flathub with all features enabled.

GNOME Software tends to select Fedora Flatpaks first. So users can end up really confused; see: https://github.com/flathub/io.github.celluloid_player.Celluloid/issues/140

Nautilus supports that via a Flatpak right? Thats cool.

File previews are supported via the Sushi extension, which is available as a Flatpak. Obviously, it doesn't work on H.264/H.265/VC-1 media because it's a Fedora Flatpak.

I really need ffmpeg because it's a crucial part of my workflow because I convert so much media. But that's fine; I just use it in a Toolbox.

But Nautilus works really well as a Flatpak. It even seems faster than non-Flatpak Nautilus and I have no idea why.

True, Flatpak is cool. Dolphin is also available as one, I need to test if it works with Flatpak ark and all that, udisks2, mounting stuff, MTP, maybe SMB.

KDE made a big push to make all of their programs available as Flatpaks. And Snaps. Which I think is great. But you end up in a weird situation where the Krita Flatpak is not officially supported by Krita because no one at Krita works on maintaining the Flatpak. Rather, they support only AppImage officially, probably because it's easier to maintain their insane patchset than with Flatpak. Not having any experience with distribution systems aside from Flatpak, I really don't know what niceties Snap or AppImage provides.

Interesting, why? I need to try it again.

Nothing much has changed since last you commented on that Toolbox thread I was reading :)

I think Toolbox is the right way to solve the problem. It's using a real programming language (Go) instead of bash, it supports a small set of important container images, and those container images are only provided from quay.io, Red Hat's own infrastructure, instead of Docker Hub.

But it lacks some features intentionally (and some just because they haven't gotten around to it). Like distrobox export. Annoying to manually patch in but not hard. I use Toolbox for Signal and Steam because I don't want to use Unverified Flatpaks.

Do you know btw how to upgrade a F39 distrobox to F40? Distrobox has some “assemble” function to rebuild it with a config file. But traditional dnf system-upgrade doesnt work.

I don't think upgrading Distroboxes or Toolboxes is supported. They're meant to be destroyed and re-created. Really inconvenient, but I guess the proper way of maintaining toolboxes/distroboxes is through Containerfiles.

So I don't use Fedora containers. Or Ubuntu containers. Or Debian containers.

I use Arch because it's a rolling release and you just keep updating it. No upgrade problems so far...aside from all the errors I ignore (everything seems to work fine). Also, I really like the Arch userland and it has Signal Desktop in the official repositories.

It really makes me feel at home on Fedora.

It’s probably the same reason you use KDE and I use GNOME (most of the time).

Why? Curious.

I think GNOME provides a more coherent and consistent experience for users. I'm okay with not having features like a system tray, desktop icons, or window buttons I never use. I really love GNOME. It's changed the way I use computers and has made everything aside from KDE feel like a completely inferior experience in comparison.

But I use KDE for my multi-monitor system because frankly, GNOME is an awful experience if you have more than one monitor with different resolutions. KDE kind of sucks too, but it's not completely broken. KDE is practical by solving problems we have now, like letting XWayland applications scale themselves. Because even if it's a total hack that works inconsistently, it works very well for most of the software I use. I find parts of KDE overwhelming (especially the System Settings) but hey, it works.

I like both KDE and GNOME and think each has their own strengths. It's nice to see KDE adopt one of GNOME's killer features (partially), the Overview. It'd be nice to see GNOME adopt a KDE feature like CTRL+META+ESC so I can kill windows graphically even on Wayland.

But god GNOME is annoying when it comes to protocol standardization. At least they're finally implementing DRM Leasing for VR users (not me).

Huh. I thought I was supposed to be sticking up for GNOME. Alright, I use GNOME everywhere else and it's still my favorite desktop by far. They focus on a great experience with what works great now. There are very few hacks in GNOME land. I just think they need to catch up to KDE with Wayland and other areas like the multi-monitor stuff.

[–] [email protected] 1 points 5 months ago (1 children)

Newton stack

Never heard of that, I hope accessibility on Wayland improves.

Neal Gompa mentioned that Flatpaks dont have the permission holes to allow screen readers? Thats crazy and may be possible to fix with a global override.

The idea of booting my entire operating system from a container created on Github's infrastructure is just...it scares me.

Same here. I think it would be nice to create 2 or so base images on an individual host like Codeberg, but I am completely new to all that container stuff.

I wonder if Sourcehut does container registries...I know people praise their CI.

There are so many alternatives. I even have access to a selfhosted Gitea instance which may also be fine.

I know Tor uses Gitlab.

At the surface, yes. But I wonder about the stuff in the background, like decentralized encrypted backups, maybe not traceable or something.

Interesting, will add that blog to my Feeds :D

I'm thinking about Fedora including the build in their own repositories.

For sure it needs to, to be a usable product.

I only see it as a platform which needs to be tweaked to be usable. Currently doing a bit of work, upstreaming some secureblue things (btw the admin blocked be because they... dont like annoying questions?).

Matrix is also horrible for Dev work. People dont use threads so they just spam stuff in a single chat and it just bad...

Also, these change processes are damn slow, but hey, thats fine I guess?

it's a crucial part of my workflow because I convert so much media.

I want to start doing some videos, no idea why OBS just has h264 hardware? I mean it doesnt matter but why no VP9? AV1 will come in 30.1 you know when that is stable?

I would just invoke the ffmpeg from some Flatpak, freedesktop.org runtime may have it. Maybe with some flatpak-spawn it could even have access everywhere?

Do you know what flatpaks (that are not VLC) have ffmpeg as a binary included?

I need to add a better app to this guide since I dont use VLC anymore.

But Nautilus works really well as a Flatpak. It even seems faster than non-Flatpak Nautilus

Interesting, I need to try full-Flatpak Kinoite in a VM. I think Flatpak Firefox is also faster, but I need to benchmark that again.

I did quite a big benchmark including Brave, Firefox Tarball (firefox and firefox-bin), Fedora Firefox, Librewolf, Torbrowser, MullvadBrowser.

Need to do that again. I also compiled FF myself for some time to use it on secureblue with hardened malloc. Funny enough, Fedora FF allows to replace the memory allocator now that I opened an issue, but it is very questionable if hardened_malloc is more secure, and if LD_PRELOAD is a secure way to do that.

Toolbox is the right way to solve the problem. It's using a real programming language (Go) instead of bash, it supports a small set of important container images, and those container images are only provided from quay.io, Red Hat's own infrastructure, instead of Docker Hub.

I agree on these points. Is it considerably faster? Because bash is slow as hell, I need to start learning some real language as my bash scripts start getting a pain. (Especially the Arkenfox (FF and TB) scripts need to get a big overhaul and I am still bery unhappy with them).

I use Toolbox for Signal and Steam because I don't want to use Unverified Flatpaks.

Well I hope you use an Ubuntu container because I bet these packages are also not "verified" on Arch ;)

I use 90% verified and just have the verified subset repo around to check if an app is. If it is, I get 2 installation repos.

But these both apps are also Electron apps and supposedly containers dont restrict user namespace creation, so they are the best way to run these apps. According to uBlue devs, Firefox too.

Or Debian containers.

You could use Debian Testing which is rolling afaik.

Fedora rawhide is too unstable, OpenSUSE has some strange package issues (I use QGis and RStudio).

RStudio uses the system package manager to add dependencies, nice concept but annoying on atomic. There is this guy that just builds the entire R libraries as RPMs on COPR, he had to reduce the repos priorities because it prevented all the other projects from building their stuff.

Does Arch have Rstudio stuff? I really think they should just abandon that concept and build the libraries themselves, and install them to the app directory...

Same for QGis but that needs pip.

It really makes me feel at home on Fedora.

Ironic. But I really wonder what to use. Basically its

  • Debian Testing
  • OpenSUSE Tumbleweed
  • Arch
  • ... ?

These damn package names. Or maybe dnf5 could solve this? I really like Fedora packages, they are often very good.

Also when it comes to deduplicating libraries, I dont need a separate distro in a container, I need a clone of my current system and just a few packages and their specific dependencies on top. Not sure how this could work, especially in RAM, there is a thread somewhere on Discuss.

[–] [email protected] 2 points 5 months ago (1 children)

Never heard of that, I hope accessibility on Wayland improves.

Here's a recent article: https://blogs.gnome.org/a11y/2024/06/18/update-on-newton-the-wayland-native-accessibility-project/

So do I.

Neal Gompa mentioned that Flatpaks dont have the permission holes to allow screen readers? Thats crazy and may be possible to fix with a global override.

I think GNOME is working on a portal for that. After the Newton stack is in a good state.

Same here. I think it would be nice to create 2 or so base images on an individual host like Codeberg, but I am completely new to all that container stuff.

Codeberg is probably a good host for that.

Currently doing a bit of work, upstreaming some secureblue things (btw the admin blocked be because they… dont like annoying questions?).

Lol. How strange.

Matrix is also horrible for Dev work. People dont use threads so they just spam stuff in a single chat and it just bad…

I don't much like Discord either. Issue tracker is the right place for this sort of discussion in my opinion. Or Sourcehut's mailing lists are fine too.

Also, these change processes are damn slow, but hey, thats fine I guess?

I guess that's kind of the point :)

I want to start doing some videos, no idea why OBS just has h264 hardware? I mean it doesnt matter but why no VP9? AV1 will come in 30.1 you know when that is stable?

I'm usually converting other people's media, so I don't have much experience with OBS. But as for VP9, the industry was gun-shy about it because MPEG-LA threatened to sue Google over patent infringement for it. Essentially the same sort of deal with Sisvel and AV1, except MPEG-LA never followed through on it. Hardware encoding for VP9 has apparently never taken off, but hardware decoding is all around.

Do you know what flatpaks (that are not VLC) have ffmpeg as a binary included?

There's: https://flathub.org/apps/org.gnome.gitlab.YaLTeR.VideoTrimmer

Browser benchmarking

Honestly, as long as I don't notice it, it doesn't bother me. I only noticed Flatpak Nautilus' launch time because it was instant.

Toolbox: Is it considerably faster?

I think so. It at least seems more reliable. I got a bunch of weird bugs with Distrobox in the beginning but I guess I was pushing it pretty far.

I need to start learning some real language as my bash scripts start getting a pain.

I kind of hate Python but it's at least more pleasant than Bash. I've no experience with Go, but it's probably nice to write.

Well I hope you use an Ubuntu container because I bet these packages are also not “verified” on Arch ;)

Ah, well, I use Arch for all my other computers so I feel like I'm already trusting Arch's devs for all my packages. What's one more?

I use 90% verified

I make an exception for Anki and MakeMKV.

You could use Debian Testing which is rolling afaik.

I kind of hate Debian and Ubuntu's userpsace :) It's okay on servers.

Does Arch have Rstudio stuff?

It has it in the AUR, but not as an official package. In most cases the AUR is just as good anyway.

Or maybe dnf5 could solve this?

DNF5 will definitely shake things up. Because rpm-ostree is going away to be replaced by dnf again.

[–] [email protected] 1 points 5 months ago (1 children)

There's: https://flathub.org/apps/org.gnome.gitlab.YaLTeR.VideoTrimmer

This has an empty ffmpeg folder but no binary. Same with bottles, guiscrcpy, celluloid, newsflash, interstellar, digikam, haruna, krdc, obs studio,

But searching for "ffmpeg" I found io.github.aandrew_me.ytdn

It has the ffmpeg binary included.

Many projects use libffmpeg.so dont know if that could be used too.

I got a bunch of weird bugs with Distrobox in the beginning

Honestly never had issues. I now use an Arch distrobox too, but I dont really need Distrobox anyways. The Arch repos are too small.

There is a COPR for RStudio-copr-manager and the entire CRAN module list as RPMs. Otherwise you have a hard time getting the R plugins you may need to your distro.

QGis needs some python integration which seems to be missing on Arch too.

With the COPR I know who to trust, unlike the AUR, even though I now also setup yay.

Everything nearly separated from my OS using the different distrobox homedirs which work flawlessly.

Also distrobox upgrade --all works awesome its just a wrapper but really valuable.

I make an exception for Anki and MakeMKV.

I have no idea because I install everything from unverified. Should learn how to swap remotes, then I could swap all the verified apps and when removing the unverified can check what I still use.

But unverified Flatpaks may be way better than distro packages. At least it is very transparent on Github (yeah, sucks) unlike strange distro build systems.

I kind of hate Debian and Ubuntu's userpsace :)

What, GNU utils? What makes it special, apart from apt? They have nala so that is dealt with.

DNF5 will definitely shake things up. Because rpm-ostree is going away to be replaced by dnf again.

Yeah this will be crazy. dnf has a lot more commands for querying etc, that will be useful.

It also sounded like they would reinvent the wheel a bit? Dont know

[–] [email protected] 1 points 5 months ago (1 children)

This has an empty ffmpeg folder but no binary

That's strange. I downloaded it just now and converted a video. It's not in /app/bin but in /usr/bin instead. I know for a fact it relies on the ffmpeg binary inside the code. You can even access it using flatpak run --command=ffmpeg org.gnome.gitlab.YaLTeR.VideoTrimmer.

The Arch repos are too small.

Eh, I've never felt that way. Even on my Arch system, I only have 15 packages from the AUR and 2134 packages installed from the repositories. But it's probably smaller than you're used to if you're coming from Debian or Fedora.

Many projects use libffmpeg.so dont know if that could be used too.

That library is designed for development as far as I'm aware. I noped out very quickly when looking at the documentation for using ffmpeg libraries :) I think that's why VideoTrimmer relies on the binary instead of the library too.

With the COPR I know who to trust, unlike the AUR, even though I now also setup yay.

I take a different view: I don't trust anybody, but I read the PKGBUILDs and understand them. They're often not complicated. I don't particularly like the AUR much anymore though for this reason.

Everything nearly separated from my OS using the different distrobox homedirs which work flawlessly.

I did try this for a while but I couldn't get used to it. And programs can bypass it anyway with /home/$USER if they're feeling vindictive, though I haven't run into any yet. It'd definitely be nice to have more complete isolation one day.

Also distrobox upgrade --all works awesome its just a wrapper but really valuable.

100% yes. Be nice to have that in Toolbox one day.

But unverified Flatpaks may be way better than distro packages. At least it is very transparent on Github (yeah, sucks) unlike strange distro build systems.

I'm with you there. I can understand PKGBUILDs but everything else is just far too complex for me. Or unfamiliar. The docs for packaging Fedora RPMs is scary as hell.

What, GNU utils? What makes it special, apart from apt? They have nala so that is dealt with.

To be honest, it's mostly apt. I really hate apt. I am also not very familiar with how the system is configured. It's very different from Arch, anyway. I can just never feel at home on an Ubuntu system even in a container, but I do run it on servers.

I've downgraded my "hate" to "it's fiiine".

Yeah this will be crazy. dnf has a lot more commands for querying etc, that will be useful.

It also sounded like they would reinvent the wheel a bit? Dont know

I really have no idea what to expect. But if I never need to use rpm for querying or whatever again I'll be happy.

[–] [email protected] 1 points 5 months ago* (last edited 5 months ago)

That's strange

Seems you can use all the libraries too as if they were binaries. Updated my Fedora post.

Currently testing how to run the freedesktop.org runtime with home permission, this would allow to not give any app permanent home permission.

But wait, you can run apps with different permissions temporarily, right?

Like flatpak run --filesystem=home org.app.name

but I read the PKGBUILDs and understand them.

That is the best way but not scalable for most users. You need access control and trust. On COPR I add the repo of an individual and only get packages from them.

And programs can bypass it anyway with /home/$USER if they're feeling vindictive, though I haven't run into any yet. It'd definitely be nice to have more complete isolation one day.

This is not about isolation, even though this should totally be done. Its just about preventing dotfile mess.

Scalable, you know. A system should stay vanilla in 20 years, in 40 years.

In the end it would be

  • core minimal system
  • /etc has some settings pinned or none at all, the rest is always flushed from /usr/etc (issue)
  • the immutable rest is always upstream
  • the bootloader is updated with bootupd
  • flatpaks have their configs isolated, when they are uninstalled, their data is removed
  • distroboxes are ephemeral, they are used for tasks, managed through a GUI app with a set of commands (like "add this repo" and packages to install, or even building blocks or checkboxes), they are recreated with OS releases
  • the distroboxes have their own dotfiles which never overlap
  • the desktop has figured out a way to cleanup old dotfiles

I mean we are not there yet, but close.

I really hate apt.

Apt is an ugly mess and nala might be python bloat but it looks fancy and automates things. Now that it runs on Debian 12 I installed it everywhere.

I really have no idea what to expect. But if I never need to use rpm for querying or whatever again I'll be happy.

Yeah or add curl instructions to projects like librewolf, to avoid needing "oh and on atomic distros you dont use 'dnf blabla' but download it directly".

Even though I like my COPR command...

[–] [email protected] 2 points 5 months ago (2 children)

I like flatpak as it helps me keep bloat down. I always find that native packages eventually pollute the system. Flatpaks do somewhat as well but I can manually delete the app storage if necessary

[–] [email protected] 8 points 5 months ago (1 children)

I like flatpak as it helps me keep bloat down

Impossible. Like flatpak itself with 5 applications was using more storage than my entire distro with the same apps as appimages on top.

[–] [email protected] 3 points 5 months ago (1 children)

I can't say I have the same experience. Flatpaks keep everything tidy and most GUI stores offer the option to delete app data on uninstall

[–] [email protected] 1 points 5 months ago* (last edited 5 months ago) (1 children)

How big is your distro right now?

I am at 4.2 GIB with my distro (artix) + 30 appimages + home. Though stuff like ~/.local/steam is on a different partition.

[–] [email protected] 1 points 5 months ago (1 children)

I'll have to look but I have 6-7 VMs so 4.2Gb is child's play. My SSD is 256Gb so I have plenty of room

[–] [email protected] 1 points 5 months ago (1 children)

I know storage doesn't matter these days, but another different thing is suggesting flatpak "because it keeps bloat down".

[–] [email protected] 3 points 5 months ago (1 children)

Storage isn't everything. Having separate isolated storage locations keeps the cluster down and prevents conflicts. Plus if I need to change something it is easy to find.

[–] [email protected] 1 points 5 months ago* (last edited 5 months ago)

I do that with appimages as they support a portable home. And that location can be moved around.

You can't get bubblewrap sandboxing with appimages in a user friendly way though, but I think I will start working on that (yes I'm serious).

Flatpak hardcoded ~/.var which I found a really bad decision and they had several issues opened on this which went really bad if you ask me:

https://github.com/flatpak/flatpak/issues/46

https://github.com/flatpak/flatpak.github.io/issues/191

https://github.com/flatpak/flatpak/issues/1651

[–] [email protected] 2 points 5 months ago

True, especially the dotfiles. Having them separated in individual per-app directories is awesome